No website is 100% safe, but follow these 10 steps and your Joomla! site’s security will be significantly enhanced and your paranoia about attackers reduced.
1. Keep your Joomla! version up-to-date.
This is the most important and simple way to keep your Joomla! site secure. There are constant security fixes being added to the latest versions as vulnerabilities are found and fixed, a ‘patch’ will be released periodically to resolve these issues. The Security Strike Team at Joomla! are tasked with finding vulnerabilities and submitting critical patches. Joomla! updates can be found and followed on the Joomla! website, Facebook page, Twitter, and Google+.
If you’re running Joomla! 1.0x, 1.5x, 1.5x, 1.6x or 1.7x you should really consider migrating to the latest stable version of 2.5x. The reason being the Joomla! Security Strike Team only supports the latest version with their patches. So, to stay secure with the latest updates, migrating is necessary.
The most common migration is 1.5x to 2.5x, below are instructions on the migration process. Most likely you will be able to migrate your content relatively easily and then will need to upgrade your template or select a new one that is already 2.5 ready.
3. Keep your extensions up-to-date, and only use secure third-party plugins.
One of the most common security vulnerabilities can occur through third-party extensions. Just as you keep your Joomla! version up-to-date, it is important to keep all extensions up-to-date. Additionally it is important to only use secure extensions supported by the Joomla! Extensions Directory. Using extensions from this directory is your best chance of utilizing secure add-ons. If you would like to check your used extensions for vulnerabilities, you can find a vulnerable extensions list here: http://docs.joomla.org/Vulnerable_Extensions_List
4. Secure your administrator credentials and create a private access URL.
Be sure to always use a unique and secure username and password for admin access, and if you have multiple websites be sure to make each login different.
The best way to secure your admin url is to create a secret key to access the site. For example: http://www.mysite.com/administrator/?adminaccess . This will hide your administrator URL so that you are unable to know it is a Joomla! site, and keep excessive hacker login attempts at bay.
The extension I have used in the past is jSecure found in the Joomla! extensions directory here: http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/12254
5. Use a secure hosting environment.
Use a high-quality Web host. Do not be fooled by offers of ‘unlimited bandwidth, unlimited hard drive space, unlimited databases, etc. Avoid any host that uses php safe_mode ON, this should be OFF. Make sure it is running PHP5+.
6. Use SEF URL’s or an SEF component.
Utilizing SEF (Search Engine Friendly) URL’s is a good way to mask Joomla! URL’s from attackers. A default Joomla! URL tells the visitor a lot about the page being visited, including that it is a Joomla! page and what components are being used. The default Joomla! SEF tool works great, but if you want to take it to another level of management sh404SEF by Anything Digital is a great tool. A couple security options sh404SEF offers that the default Joomla! SEF doesn’t are the option to remove the generator tag from your site showing you are running Joomla!, and it will send warnings when your site has been exposed to an attack.
7. Change file permissions to most important and common hacked entry points.
Restrict file permissions on some critical files to make it harder for a hacker to edit or overwrite your files. Here are some suggestions:
- Set the permission of /index.php to 444
- Set the permission of /configuration.php to 444
- Set the permission of /templates/*yourtemplate*/index.php to 444
- Set the permission of the folder /templates/*yourtemplate*/ to 555
8. Protect directory paths for temp and logs folders.
All configurable paths to temp and logs directories should be located outside of public_html directory. This can be achieved by editing the path in the Configuration.php, or in the Global Configuration area of your Joomla! Back-End. The path should be adjusted to http://yoursite/logs and http://yoursite/temp. Make sure to move your folders to this directory following changing the paths.
(If you have already changed your file permissions in #7, make sure to temporarily change it to 644 for editing and back to 444 once done.)
9. Keep your site backed up.
In case of any attack it is best to consistently keep a backup of your site. The best solution for this is Akeeba Backup. It will allow you to do backups locally on your server or remotely to a storage facility such as Amazon S3, or Dropbox. You can have backups pushed to these services automatically, which is helpful in guaranteeing a backup often.
Also, talk to your hosting company and see if they offer any service for daily, weekly, and monthly backups. This can be an additional emergency backup source that is well worth the minimal expense.
10. Site monitoring.
Remote monitoring is very useful to make sure there is the least amount of down time in case of an emergency. The service I recommend is Sucuri.net. They offer not only malware monitoring, but also a cleanup service for attacked sites. This is very useful if your site has been consistently hacked. Often times your files are not completely clean, and is the cause of the reoccurring attacks.
Another new option, that I have yet to try, but have recently read about, is Watchful.li by Anything Digital. This service offers notifications on updating Joomla!, outdated add-ons, remote backups, and sends messages concerning modified files. Definitely looks useful, and will be checking it out soon.
Both Sucuri and Watchful are also good options for multiple site owners, or web companies, as they offer a dashboard for mult-site management.
This article is featured in Software Developer’s Journal.